Prepare for Upgrade

Before you start the upgrade process, ensure that you perform the following tasks:

Note

In a multinode deployment with Primary and Secondary PANs, monitoring dashboards and reports might fail after upgrade because of a caveat in data replication. See CSCvd79546 for details. As a workaround, perform a manual synchronization from the Primary PAN to the Secondary PAN before initiating upgrade.

Note

If you are currently on Release 2.0.1 on an SNS-3415 appliance, you cannot upgrade to Release 2.1 because of an exception. See CSCva96507 for details. As a workaround, reimage the SNS-3415 appliance, perform a fresh installation of Cisco ISE, Release 2.1, and restore backup from Release 2.0.1.

Apply Latest Patch to Your Current Cisco ISE Version Before Upgrade

Change VMware Virtual Machine Guest Operating System and Settings

If you are upgrading
Cisco ISE nodes on virtual machines, ensure that you change the Guest Operating
System to Red Hat Enterprise Linux (RHEL) 7. To do this, you must power down
the VM, change the Guest Operating System to RHEL 7, and power on the VM after
the change. RHEL 7 supports only E1000 and VMXNET3 network adapters. Be sure to
change the network adapter type before you upgrade.

Remove Non-English Characters From Sponsor Group Names

If you created sponsor groups with non-English characters in a release earlier than 2.2, rename those sponsor groups to use only English characters before you upgrade.

Cisco ISE, Release 2.2 and later, does not support non-English characters in sponsor group names.

Firewall Ports That Must Be Open for Communication

If you have a
firewall deployed between your primary Administration node and any other node,
the following ports must be open before you upgrade:

When Cisco ISE runs on VMware, VMware snapshots are not supported for backing up ISE data.

A VMware snapshot saves the state of a VM at a given point in time. In a multi-node Cisco ISE deployment, the data in all the nodes is continuously synchronized with current database information. Restoring a snapshot might cause database replication and synchronization issues. Cisco recommends that you use the backup functionality included in Cisco ISE for archival and restoration of data.

Using VMware snapshots to back up ISE data results in stopping Cisco ISE services. A reboot is required to bring up the ISE node.

You can also obtain the configuration and operational data backup from
the Cisco ISE Admin Portal. Ensure that you have created repositories for
storing the backup file. Do not back up using a local repository. You cannot
back up the monitoring data in the local repository of a remote Monitoring
node. The following repository types are not supported: CD-ROM, HTTP, HTTPS, or
TFTP, because these repository types are either read-only or their protocol
does not support file listing.

Choose Administration > System > Backup and Restore.

Click Backup Now.

Enter the values as required to perform a backup.

Click OK.

Verify that the backup completed successfully.

Cisco ISE appends the backup filename with a timestamp and stores
the file in the specified repository. In addition to the timestamp, Cisco ISE
adds a CFG tag for configuration backups and an OPS tag for operational backups.
Ensure that the backup file exists in the specified repository.

In a distributed deployment, do not change the role of a node or
promote a node when the backup is running. Changing node roles will shut down
all the processes and might cause some inconsistency in data if a backup is
running concurrently. Wait for the backup to complete before you make any node
role changes.

Back Up System Logs from the Primary Administration Node

Obtain a backup of the system logs
from the Primary Administration Node from the Command Line Interface (CLI). The
CLI command is:

Check the Validity of Certificates

The upgrade process fails if any
certificate in the Cisco ISE Trusted Certificates or System Certificates store
has expired. Check the validity of the certificates in the Trusted Certificates
and System Certificates stores, and renew them, if necessary, before upgrade.
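Because an expired certificate anywhere in those stores makes the upgrade fail, it is worth checking the exported certificates mechanically rather than by eye. The Go program below is an added example, not Cisco's code and not part of this guide: given the PEM files you exported from the Trusted Certificates and System Certificates stores, it classifies every certificate as expired, expiring within a warning horizon, not yet valid, or fine. The 30-day horizon, the status names and the constructed self-signed sample it falls back to when no files are given are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"time"
)

// CertStatus is the pre-upgrade verdict for one certificate.
type CertStatus string

const (
	StatusExpired  CertStatus = "EXPIRED"       // upgrade fails while this is in the store
	StatusExpiring CertStatus = "EXPIRING-SOON" // renew before the maintenance window
	StatusNotYet   CertStatus = "NOT-YET-VALID" // often a clock problem on the issuing side
	StatusOK       CertStatus = "OK"
)

// Finding is one certificate found in an exported PEM file.
type Finding struct {
	File, Subject string
	NotAfter      time.Time
	Status        CertStatus
}

// Classify compares a validity window with the reference time; warnDays is how far ahead to flag expiry.
func Classify(notBefore, notAfter, now time.Time, warnDays int) CertStatus {
	switch {
	case now.After(notAfter):
		return StatusExpired
	case now.Before(notBefore):
		return StatusNotYet
	case notAfter.Sub(now) < time.Duration(warnDays)*24*time.Hour:
		return StatusExpiring
	}
	return StatusOK
}

// CheckPEM classifies every CERTIFICATE block in data; an export may chain several
// certificates and may also carry a private key block, which is skipped.
func CheckPEM(file string, data []byte, now time.Time, warnDays int) ([]Finding, error) {
	var out []Finding
	for block, rest := pem.Decode(data); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			continue
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", file, err)
		}
		out = append(out, Finding{file, cert.Subject.String(), cert.NotAfter, Classify(cert.NotBefore, cert.NotAfter, now, warnDays)})
	}
	return out, nil
}

// SelfSignedPEM builds a constructed sample certificate so the example runs offline;
// a real run passes the certificates exported from ISE instead.
func SelfSignedPEM(cn string, notBefore, notAfter time.Time) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, NotBefore: notBefore, NotAfter: notAfter}
	der, err := x509.CreateCertificate(rand.Reader, &tmpl, &tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	now := time.Now()
	var findings []Finding
	for _, path := range os.Args[1:] { // real run: pass the exported PEM files as arguments
		data, err := os.ReadFile(path)
		if err != nil {
			panic(err)
		}
		f, err := CheckPEM(path, data, now, 30)
		if err != nil {
			panic(err)
		}
		findings = append(findings, f...)
	}
	if len(findings) == 0 { // no arguments: one constructed sample that expires in 10 days
		data, _ := SelfSignedPEM("psn-eap-sample", now.Add(-time.Hour), now.Add(10*24*time.Hour))
		findings, _ = CheckPEM("constructed.pem", data, now, 30)
	}
	for _, f := range findings {
		fmt.Printf("%-18s %-22s %-13s expires %s\n", f.File, f.Subject, f.Status, f.NotAfter.Format(time.RFC3339))
	}
}
```

Run it as `go run . pan-admin.pem trusted-*.pem` against the exported files; anything reported as EXPIRED must be renewed before the upgrade, and EXPIRING-SOON entries are the ones that would otherwise fail part-way through a long maintenance window. Private-key blocks in the same file are ignored, so a combined certificate-plus-key export can be checked as is.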

Export Certificates and Private Keys

We recommend that
you export:

All local
certificates (from all the nodes in your deployment) along with their private
keys to a secure location. Record the certificate configuration (what service
the certificate was used for).

All
certificates from the Trusted Certificates Store of the Primary Administration
Node. Record the certificate configuration (what service the certificate was
used for).

Disable PAN Automatic Failover and Scheduled Backups Before Upgrade

Cisco ISE does not
support deployment changes when a backup is in progress. Ensure that you
disable the following configurations before upgrade:

Primary
Administration Node Automatic Failover—If you have configured the Primary
Administration Node for automatic failover, be sure to disable the automatic
failover option before upgrade.

Scheduled
Backups—Plan your deployment upgrade in such a way that you reschedule the
backups after the upgrade. You can choose to disable the backup schedules and
recreate them after upgrade.

Backups with a
schedule frequency of once get triggered every time the Cisco ISE application
is restarted. Hence, if you have a backup schedule that was configured to run
just once, be sure to disable it before upgrade.

NTP Server Should Be Configured Correctly and Reachable

During upgrade, the Cisco ISE nodes reboot, migrate and replicate data from the primary administration node to the secondary administration node. For these operations, it is important that the NTP server in your network is configured correctly and is reachable. If the NTP server is not set up correctly or is unreachable, the upgrade process fails.

Ensure that the NTP servers in your network are reachable, responsive, and synchronized during upgrade.
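The guide asks for NTP servers that are reachable, responsive and synchronized, but gives no way to verify that from outside the appliance. As an added example that is not part of the Cisco guide, the Go program below is a small SNTP probe to run from an administration workstation against each NTP server configured on the ISE nodes: it sends one client request on UDP/123, treats a missing reply as unreachable, rejects kiss-o'-death and non-server replies, reads the leap indicator to learn whether the server's own clock is synchronized, and estimates the offset against the local clock. The three-second timeout, the one-second warning threshold and the output format are assumptions of this example; the packet layout follows RFC 5905.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"net"
	"os"
	"time"
)

// ntpEpochOffset is the number of seconds between the NTP epoch (1900-01-01) and the Unix epoch.
const ntpEpochOffset = 2208988800

// NTPResult is what a pre-upgrade check needs to know about one server.
type NTPResult struct {
	Stratum    uint8         // 1 = primary, 2-15 = secondary; 0 is a kiss-o'-death reply
	Unsynced   bool          // leap indicator 3: the server's own clock is not synchronized
	ServerTime time.Time     // server transmit timestamp
	Offset     time.Duration // server time minus our time, estimated from one round trip
}

// BuildRequest returns a 48-byte SNTP client request (LI=0, VN=4, Mode=3).
func BuildRequest() []byte {
	pkt := make([]byte, 48)
	pkt[0] = 0x23 // 00 100 011
	return pkt
}

// ntpToTime converts a 64-bit NTP timestamp (32-bit seconds, 32-bit fraction) to UTC.
func ntpToTime(secs, frac uint32) time.Time {
	nsec := (uint64(frac) * 1_000_000_000) >> 32
	return time.Unix(int64(secs)-ntpEpochOffset, int64(nsec)).UTC()
}

// ParseResponse validates a server reply; sent and received are our local
// timestamps taken around the exchange.
func ParseResponse(pkt []byte, sent, received time.Time) (NTPResult, error) {
	if len(pkt) < 48 {
		return NTPResult{}, errors.New("short NTP packet")
	}
	li, mode, stratum := pkt[0]>>6, pkt[0]&0x07, pkt[1]
	if mode != 4 {
		return NTPResult{}, fmt.Errorf("unexpected mode %d, want 4 (server)", mode)
	}
	if stratum == 0 { // kiss-o'-death: the reference ID carries an ASCII code such as RATE or DENY
		return NTPResult{}, fmt.Errorf("kiss-o'-death %q: server not usable", pkt[12:16])
	}
	xmit := ntpToTime(binary.BigEndian.Uint32(pkt[40:44]), binary.BigEndian.Uint32(pkt[44:48]))
	mid := sent.Add(received.Sub(sent) / 2) // assumes symmetric network delay
	return NTPResult{Stratum: stratum, Unsynced: li == 3, ServerTime: xmit, Offset: xmit.Sub(mid)}, nil
}

// Probe sends one request to host on UDP/123 and parses the reply.
func Probe(host string, timeout time.Duration) (NTPResult, error) {
	conn, err := net.DialTimeout("udp", net.JoinHostPort(host, "123"), timeout)
	if err != nil {
		return NTPResult{}, err
	}
	defer conn.Close()
	if err := conn.SetDeadline(time.Now().Add(timeout)); err != nil {
		return NTPResult{}, err
	}
	sent := time.Now()
	if _, err := conn.Write(BuildRequest()); err != nil {
		return NTPResult{}, err
	}
	buf := make([]byte, 48)
	n, err := conn.Read(buf)
	if err != nil {
		return NTPResult{}, err // unreachable or unresponsive within the timeout
	}
	return ParseResponse(buf[:n], sent, time.Now())
}

func main() {
	// Pass the NTP servers configured on the ISE nodes as arguments (hostnames or IPs).
	for _, host := range os.Args[1:] {
		res, err := Probe(host, 3*time.Second)
		switch {
		case err != nil:
			fmt.Printf("%-30s FAIL  %v\n", host, err)
		case res.Unsynced:
			fmt.Printf("%-30s FAIL  server reports an unsynchronized clock\n", host)
		case res.Offset > time.Second || res.Offset < -time.Second:
			fmt.Printf("%-30s WARN  stratum %d, offset %v\n", host, res.Stratum, res.Offset)
		default:
			fmt.Printf("%-30s OK    stratum %d, offset %v\n", host, res.Stratum, res.Offset)
		}
	}
}
```

A FAIL on any server listed on a node is worth resolving before the upgrade window opens, since the guide states that an unreachable or misconfigured NTP server makes the upgrade fail; a WARN means the server answers but its time disagrees with the workstation's by more than a second, which usually points at one side not being synchronized.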

Record Profiler Configuration

If you use the Profiler service,
ensure that you record the profiler configuration for each of your Policy
Service nodes from the Admin portal (Administration > System > Deployment
> <node> > Profiling Configuration). You can make a note of
the configuration or take screenshots.

If you use Active
Directory as your external identity source, ensure that you have the Active
Directory credentials and valid internal administrator account credentials on
hand. After upgrade, you might lose Active Directory connections. If this
happens, you need the ISE internal administrator account to log in to the Admin
portal and Active Directory credentials to rejoin Cisco ISE with Active
Directory.

Activate MDM Vendor Before Upgrade

If you use the MDM
feature, then before upgrade, ensure that the MDM vendor status is active.

Otherwise, the
existing authorization profiles for MDM redirect are not updated with the MDM
vendor details. After upgrade, you must manually update these profiles with an
active vendor and the users will go through the onboarding flow again.

Create Repository and Copy the Upgrade Bundle

Create a repository
to obtain backups and copy the upgrade bundle. We recommend that you use FTP
for better performance and reliability. Do not use repositories that are
located across slow WAN links. We recommend that you use a local repository
that is closer to the nodes.

where aaa.bbb.ccc.ddd is the IP address or hostname of the SFTP server and ise-upgradebundle-1.4.x-to-2.2.0.x.x86_64.tar.gz is the name of the upgrade bundle.

Having the upgrade bundle on the local disk saves time during upgrade.
Alternatively, you can use the application upgrade prepare command to copy the
upgrade bundle to the local disk and extract it.

Note

Ensure that you
have a good bandwidth connection with the repository. When you download the
upgrade bundle from the repository to the node, the download times out if it
takes more than 35 minutes to complete.

Check Load Balancer Configuration

If you are using any
load balancer between the Primary Administration Node (PAN) and the Policy
Service node (PSN), ensure that the session timeout configured on the load
balancer does not affect the upgrade process. If the session timeout is set to
a lower value, it might affect the upgrade process on the PSNs located behind
the load balancer. For example, if a session times out during the database dump
from PAN to a PSN, the upgrade process may fail on the PSN.